Archive of CERT general posting, CERT Vendor-Initiated Bulletin VB-97.13 - GlimpseHTTP.WebGlimpse

15/11/97, CERT Vendor-Initiated Bulletin VB-97.13 - GlimpseHTTP.WebGlimpse
From: CERT Bulletin <>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Subject: CERT Vendor-Initiated Bulletin VB-97.13 - GlimpseHTTP.WebGlimpse
From: CERT Bulletin <>
Date: Fri, 14 Nov 1997 16:47:00 -0500
Organization: CERT(sm) Coordination Center - +1 412-268-7090


CERT* Vendor-Initiated Bulletin VB-97.13
November 14, 1997

Topic:	Vulnerability in GlimpseHTTP and WebGlimpse CGI scripts
Source:  Project FUSE, University of Arizona
Related CERT documents:

To aid in the wide distribution of essential security information, the CERT
Coordination Center is forwarding the following information from Project FUSE,
University of Arizona. Project FUSE urges you to act on this information as
soon as possible. Project FUSE contact information is included in the
forwarded text below; please contact them if you have any questions or need
further information.

Please note that there is related information about these vulnerabilities in
AUSCERT Advisory AA-97.28, "Vulnerability in GlimpseHTTP and WebGlimpse
cgi-bin Packages", available from

=======================FORWARDED TEXT STARTS HERE============================

Problem: Vulnerability in GlimpseHTTP 2.0 and
         WebGlimpse versions prior to 1.5

I. Description

A vulnerability exists in the GlimpseHTTP web search package.  A related
vulnerability exists in the WebGlimpse web search package prior to version
1.5 (the latest version).  These packages are popular collections of tools
that provide easy-to-use interface to Glimpse, an indexing and query
system, to provide a search facility on web sites.

Due to insufficient argument checking by some of GlimpseHTTP and older
WebGlimpse routines, intruders may be able to force it to execute arbitrary
commands with the privileges of the httpd process.  Attacks against
GlimpseHTTP using these vulnerabilities have been reported.

Similar attacks have been reported on other scripts, and it is a good idea
now to check all your CGI scripts.  For more information see

To check whether exploitation of this vulnerability has been attempted at
your site, search for unusual accesses to aglimpse in your access logs.
An example of how to do this is:

# egrep 'aglimpse.*IFS' {WWW_HOME}/logs/access_log

Where {WWW_HOME} is the base directory for your web server.

If this command returns anything, further investigation is necessary.

Up-to-date information regarding these vulnerabilities can be obtained from
the authors of GlimpseHTTP and WebGlimpse at

Although the attacks against GlimpseHTTP have focused on version 2.0,
similar attacks may be possible on earlier versions.

II. Impact

Remote users may be able to execute arbitrary commands with the privileges
of the httpd process which answers HTTP requests.  This may be used to
compromise the http server and under certain configurations gain privileged
access.  Current attacks concentrated on obtaining the /etc/passwd file on
systems that do not provide shadow passwords.

III. Solution

The authors have decided to stop supporting GlimpseHTTP, and instead have
released a new version (1.5) of WebGlimpse, which has most of the features
of GlimpseHTTP and many more.

Users of any version GlimpseHTTP are encouraged to upgrade to the new
WebGlimpse.  Users of earlier versions of WebGlimpse are also encouraged to
upgrade, as version 1.5 is more robust and more secure.  WebGlimpse can be
found at

For sites that cannot immediately install the current version of
WebGlimpse, it is recommended that you disable the version of GlimpseHTTP
or WebGlimpse you are using and use another script to interface to Glimpse.

Questions to the authors can be directed to

========================FORWARDED TEXT ENDS HERE=============================

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST). See

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.

Location of CERT PGP key

CERT Contact Information
- - ------------------------

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890

CERT publications, information about FIRST representatives, and other
security-related information are available from

CERT advisories and bulletins are also posted on the USENET newsgroup

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
In the subject line, type
        SUBSCRIBE  your-email-address

* Registered U.S. Patent and Trademark Office.

The CERT Coordination Center is part of the Software Engineering
Institute (SEI). The SEI is sponsored by the U. S. Department of Defense.

This file:

Version: 2.6.2


Previous message sorted by date: CERT Vendor-Initiated Bulletin VB-97.12 - opengroup
Next message sorted by date: CERT Vendor-Initiated Bulletin VB-97.14 - scoterm
Previous message sorted by thread: CERT Vendor-Initiated Bulletin VB-97.12 - opengroup
Next message by thread: CERT Vendor-Initiated Bulletin VB-97.14 - scoterm
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Feb 2000